sampledoc

AccountΒΆ

The account plugin manages authentication data, including

  • /etc/passwd
  • /etc/group
  • /etc/security/limits.conf
  • /etc/sudoers
  • /root/.ssh/authorized_keys

User access data is stored in three files in the Account directory:

  • superusers (a list of users who always have root privs)
  • rootlist (a list of user:host pairs for scoped root privs)
  • useraccess (a list of user:host pairs for login access)

SSH keys are stored in files named $username.key; these are installed into root’s authorized keys for users in the superusers list as well as for the pertitent users in the rootlike file (for the current system).

Authentication data is read in from (static|dyn).(passwd|group) The static ones are for system local ones, while the dyn. versions are for external synchronization (from ldap/nis/etc). There is also a static.limits.conf that provides the limits.conf header and any static entries.

Files in the Account directory:

<username>.key

Format: The SSH public key for user <username>.

If the user is in the “rootlike” or “superusers” group, these keys will be appended to /root/.ssh/auth

useraccess

Format: “user:hostname” on each line.

Describes who may login where (via PAMs /etc/security/limits.conf). Everybody else will be denied access.(?)

Example:

If Alice should be able to access host “foo”, Bob should access “foo” and “bar”:

alice:foo.example.com
bob:foo.example.com
bob:bar.example.com

rootlike

Format: “user:hostname” on each line.

Describes who will be allowed root access where. The user may login via public key and use sudo.

Example:

If Chris should be root only on host “foo”:

chris:foo.example.com

superusers

Format: usernames, separated by spaces or newlines. (Any whitespace that makes pythons split() happy.)

Describes who will be allowed root access on all hosts. The user may login via public key and use sudo.

Example:

Daniel, Eve and Faith are global admins:

daniel eve
faith

static.passwd, static.group

Format: Lines from /etc/passwd or /etc/group

These entries are appended to the passwd and group files (in addition to the auto-generated entries from “useraccess”, “rootlike” and “superusers” above) without doing anything else.

dyn.passwd, dyn.group

Format: Lines from /etc/passwd or /etc/group

Similar to “static.*” above, but for entries that are managed “on the network” (yp, LDAP, ...), so it is most likely periodically (re)filled.

static.limits.conf

Format: Lines from /etc/security/limit.conf

These limits will be appended to limits.conf (in addition to the auto-generated entries from “useraccess”, “rootlike” and “superusers” above).

static.sudoers

Format: Lines from /etc/sudoers

These lines will be appended to to sudoers file (in addition to the auto-generated entries from “useraccess”, “rootlike” and “superusers” above).

Previous topic

Deps

Next topic

Cfg

This Page